
Zorro Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 4
First Seen: March 27, 2017
Last Seen: January 8, 2020
OS(es) Affected: Windows

The Zorro Ransomware is a ransomware Trojan that forces computer users to pay a ransom after taking their files hostage. The Zorro Ransomware was first observed on March 24, 2017, and is probably being distributed through spam email attachments. The Zorro Ransomware targets computers running the Windows operating system and may be installed through corrupted macro scripts embedded in Microsoft Word or PDF files. PC security researchers consider the Zorro Ransomware a real threat to computer users' data, so computer users should take precautions to limit the damage this kind of infection can cause to their computers.

How the Zorro Ransomware Carries out Its Attack

The Zorro Ransomware infection follows a pattern similar to most encryption ransomware Trojans. Once it enters a computer, the Zorro Ransomware scans all drives for certain file types and then encrypts these files using a combination of the RSA and AES encryption algorithms. The Zorro Ransomware targets files on all local drives, as well as on network storage and external storage devices connected to the infected machine. The Zorro Ransomware avoids the directories Windows, AppData, Program Files, Program Files (x86), Temp, ProgramData, and System Volume Information so that the attack does not stop Windows from working. This is because the Zorro Ransomware requires Windows to remain operational so that it can demand a ransom payment from the victim.

What Happens After the Zorro Ransomware Encrypts Its Victims’ Files?

The Zorro Ransomware marks all encrypted files with the extension '.zorro,' which is appended to the end of each affected file's name. After encrypting the victim's files, the Zorro Ransomware delivers its ransom note by dropping a text file on the infected computer's desktop. This file, named 'Take_Seriously (Your saving grace).txt,' demands the payment of 1 BitCoin (approx. $1000 USD at the current exchange rate) and includes information on how to carry out the payment and contact the con artists. Below is the text of the Zorro Ransomware's ransom note:

DEAR Sir/Ma,
Sorry to inform you but your files has just been encrypted with a strong key. This simply mean that you will not be able to use your files until it is decrypted by the same key used in encrypting it. To get the Key, you have to make a payment to us so as to recover your files. You have the grace of 3 days from now to pay the sum of 1 BTC to the bitcoin address below:
BITCOIN ADDRESS:=>> 19DbpPPahyjVupryKZerpWZ2LG57JqYcgC
Today has just begun the count-down of the payment before your files become unstable and entirely useless. So, my advice to you is to pay up the amount to the bitcoin address above. Pay 1 BTC.
Bitcoin doesn't need a bank account - your bitcoin wallet is your bank account, and you don't need any permissions or paperwork to start using bitcoin. GOTO to change cash to bitcoins and vice versa, you don't need any kind of bank account at all.
When payment is made, a decrypting software with the embedded strong key used in encrypting your files will be emailed to you to decrypt your files and start using it again.
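As an added triage example (not code from the original page or its author), the following Python script checks a file listing for the two host indicators described above, the '.zorro' extension and the ransom note file name, and applies the page's list of directories the Trojan skips; the sample paths are constructed for the demonstration.

```python
"""Triage a file listing for the Zorro Ransomware indicators named on this page."""
from collections import Counter
from pathlib import PureWindowsPath

ENCRYPTED_EXT = ".zorro"                                  # extension appended to encrypted files
RANSOM_NOTE = "Take_Seriously (Your saving grace).txt"    # note dropped on the desktop
# Directories the page says the Trojan avoids so that Windows keeps running.
SKIPPED_DIRS = {
    "windows", "appdata", "program files", "program files (x86)",
    "temp", "programdata", "system volume information",
}


def in_skipped_dir(path):
    """True if any component of the path is one of the directories the Trojan avoids."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return any(p in SKIPPED_DIRS for p in parts)


def triage(paths):
    """Summarise Zorro indicators found in an iterable of Windows file paths."""
    encrypted, notes, unexpected, dirs = [], [], [], Counter()
    for path in paths:
        p = PureWindowsPath(path)
        if p.name == RANSOM_NOTE:
            notes.append(str(p))
        elif p.suffix.lower() == ENCRYPTED_EXT:
            # A '.zorro' file inside a directory the page says is skipped is worth a
            # second look (different variant or a different cause), so it is listed apart.
            (unexpected if in_skipped_dir(path) else encrypted).append(str(p))
            dirs[str(p.parent)] += 1
    return {"encrypted": encrypted, "ransom_notes": notes,
            "in_skipped_dirs": unexpected, "dirs_hit": dict(dirs)}


# Constructed sample listing; in practice this would come from a file system walk
# or a forensic file listing of the affected host and its mapped shares.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.zorro",
    r"C:\Users\alice\Pictures\holiday.jpg.zorro",
    r"C:\Users\alice\Desktop\Take_Seriously (Your saving grace).txt",
    r"C:\Windows\System32\kernel32.dll",
    r"Z:\shares\finance\q1.docx.zorro",
    r"C:\Users\alice\AppData\Local\cache.bin",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS).items():
        print(key, value)
```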

Dealing with the Zorro Ransomware Infection

Malware analysts do not advise computer users to pay the Zorro Ransomware ransom or to contact the people responsible for the attack. Instead, computer users are advised to take preemptive measures by keeping backups of all important files. Having backups allows computer users to disregard the Zorro Ransomware's ransom note completely and restore the affected files from the backup copy instead. The Zorro Ransomware infection itself can be removed with the help of a reliable, fully up-to-date security program.
